When a device connects to one or more computer networks, the device may be authenticated, authorized, and its activities on the one or more computer networks may be accounted for. Such a process is commonly referred to as Authentication, Authorization and Accounting (“AAA”; Accounting may be referred to alternatively as Auditing).
Authenticating a device prior to granting access to a computer network generally protects the network from unauthorized access. Before the device may gain access to the network, the device may be required to provide a credential used to authenticate the device to the computer network. If the credential is recognized and deemed authentic, the device may be permitted access to the network. A credential may be a username and a password submitted by a user of the device, a digital certificate related to the device or the user thereof, a MAC address of the device, or the like. It should be noted that credentials differ greatly in strength: a MAC address is transmitted in the clear and may be trivially spoofed, so authentication based on a MAC address alone provides only weak assurance of device identity.
Many different network authentication protocols and access policies are well-known and, accordingly, need not be set forth herein in detail. However, several different commonly encountered authentication protocols are generally described below to highlight the advantages and features of various embodiments.
One well-known standard that includes authentication is IEEE 802.1X. IEEE 802.1X provides a framework for several different authentication methods so that a Network Access Controller (“NAC”), such as a router, wireless access point, virtual private network (“VPN”) device, or other similar device designed to facilitate access to a network, need not be cognizant of the particular authentication method being used. Instead, the NAC simply extracts Extensible Authentication Protocol (“EAP”) packets from the link-layer frames (EAP over LAN, or “EAPOL”) received from a device attempting to connect to a network, re-encapsulates them (for example, in RADIUS EAP-Message attributes), and forwards them to a server that will perform the authentication.
In the terminology of the 802.1X standard, the connecting device to be authenticated may be called a supplicant. The server doing the authentication, such as a Remote Authentication Dial-In User Service (“RADIUS”) server, may be called the authentication server. The device in between a supplicant and the authentication server, such as a wireless access point or a port of a NAC, may be called the authenticator. An advantage of the 802.1X standard is that the authenticator may simply pass frames encapsulating the EAP packets between the supplicant and the authentication server without implementing any authentication method itself. Until the authentication server reports success, the authenticator's controlled port passes only EAPOL traffic, so the supplicant has no access to the network during the exchange.
When a device connects to a computer network, the authenticator may send an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the link is active (e.g., a laptop computer with wireless capabilities establishes a wireless connection with a wireless access point). In situations where the authenticator supports local authentication methods, it may examine the type field of the response sent from the supplicant to determine whether to act on the packet itself or forward it to an authentication server. If the authenticator forwards the packet to the authentication server, the authentication server may send a challenge back to the authenticator, such as with a token password system, which the authenticator may forward to the supplicant.
Different authentication methods may vary this message, as well as the total number of messages required for authentication. EAP supports client-only authentication and strong mutual authentication, the latter being particularly useful for wireless networks, where a supplicant that does not authenticate the network could be induced to present its credential to a rogue access point impersonating the legitimate network. The supplicant may respond to the challenge via the authenticator, which may forward the response to the authentication server. If the supplicant provides a valid credential, the authentication server may respond with a success message, which may be sent to the authenticator, which may in turn allow access to the computer network. As noted above, RADIUS is the AAA protocol most commonly used between the authenticator and the authentication server in 802.1X deployments, although the 802.1X standard itself does not mandate a particular back-end protocol.
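As an added illustration of the pass-through exchange described above (this code is not part of the original description), the following Python models the three 802.1X roles exchanging EAP packets in the RFC 3748 wire format. EAP-MD5-Challenge is used as the method because it is the simplest challenge-response method defined in that RFC; the identity, password, credential store and server name “radius.example” are constructed sample values. EAP-MD5 authenticates only the client and derives no keys, which is why RFC 3748 notes it is unsuitable for wireless use and why mutually authenticating methods are preferred there; the authenticator logic shown (relay everything, open the port only on EAP-Success) is the same regardless of method.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748, Sections 4 and 5).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4


def build_eap(code, identifier, type_=None, type_data=b""):
    """Serialise Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if type_ is None else bytes([type_]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(frame):
    """Parse an EAP packet, rejecting frames whose Length field does not fit the data."""
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("EAP Length inconsistent with frame")
    body = frame[4:length]  # octets beyond Length are padding and are ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if not body:
        raise ValueError("Request/Response without Type")
    return code, identifier, body[0], body[1:]


def md5_response(identifier, secret, challenge):
    """CHAP-style value used by EAP-MD5: MD5(Identifier || secret || challenge) (RFC 3748 5.4)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity.encode(), password.encode()

    def handle(self, frame):
        code, ident, type_, data = parse_eap(frame)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only answers Requests")
        if type_ == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if type_ == TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]  # Type-Data is Value-Size(1), Value, Name
            value = md5_response(ident, self.password, challenge)
            return build_eap(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE,
                             bytes([len(value)]) + value + self.identity)
        # Unsupported method: answer with a Nak listing the method this supplicant accepts.
        return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))


class AuthServer:
    """Authentication server (the RADIUS role); keeps per-session challenge state."""
    def __init__(self, users):
        self.users, self.sessions = users, {}

    def handle(self, session, frame):
        code, ident, type_, data = parse_eap(frame)
        st = self.sessions.setdefault(session, {})
        if code == EAP_RESPONSE and type_ == TYPE_IDENTITY:
            st["identity"], st["id"] = data.decode(errors="replace"), (ident + 1) & 0xFF
            st["challenge"] = os.urandom(16)
            return build_eap(EAP_REQUEST, st["id"], TYPE_MD5_CHALLENGE,
                             bytes([16]) + st["challenge"] + b"radius.example")
        if (code == EAP_RESPONSE and type_ == TYPE_MD5_CHALLENGE
                and st.get("id") == ident and "challenge" in st):
            challenge = st.pop("challenge")  # single use, so a replayed Response cannot succeed
            password = self.users.get(st.get("identity"), "")  # unknown identity ends in Failure
            expected = md5_response(ident, password.encode(), challenge)
            if password and hmac.compare_digest(data[1:1 + data[0]], expected):
                return build_eap(EAP_SUCCESS, ident)
        return build_eap(EAP_FAILURE, ident)


class Authenticator:
    """Pass-through authenticator (NAC port): relays EAP and opens the port only on EAP-Success."""
    def __init__(self, server):
        self.server, self.port_authorized = server, False

    def run(self, supplicant):
        frame = build_eap(EAP_REQUEST, 0, TYPE_IDENTITY)  # sent as soon as the link comes up
        transcript = [("authenticator", frame)]
        for _ in range(8):  # bound the exchange; real authenticators use retransmit timers
            frame = supplicant.handle(frame)
            transcript.append(("supplicant", frame))
            frame = self.server.handle(id(supplicant), frame)  # method data is opaque to the NAC
            transcript.append(("server", frame))
            code = parse_eap(frame)[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.port_authorized = code == EAP_SUCCESS
                return self.port_authorized, transcript
        return False, transcript


USERS = {"alice": "correct horse battery staple"}  # constructed sample credential store


def authenticate(identity, password):
    """Run one 802.1X/EAP-MD5 exchange end to end; returns (port_opened, transcript)."""
    return Authenticator(AuthServer(USERS)).run(Supplicant(identity, password))
```

Calling `authenticate("alice", "correct horse battery staple")` yields five packets (Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge, Success) and an authorized port; a wrong password or unknown identity ends in EAP-Failure and the port stays closed. The challenge is consumed on first use, so replaying a captured Response against the same session fails.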
After authentication, authorization of a connecting device to a computer network provides for further control of the connecting device's use of the computer network, including which network resources the device may access based on any number of user, device or network characteristics related to the device. In many ways, authorization is similar to authentication. However, authentication verifies that a particular device or the user of a device is who/what it purports to be. In contrast, authorization is the process of determining whether the authenticated device has the authority to perform a given operation or access a particular network resource.
Authorization standards may be described in ways similar to authentication standards. Once a user or device is authenticated, the NAC may take on the role of a policy enforcement point (“PEP”), and the authentication server (e.g., an AAA server such as a RADIUS server) may begin operating as a policy decision point (“PDP”). A PDP may be configured to store one or more authorization policies composed of one or more rules, and to decide whether an authenticated device is permitted access to a particular resource by comparing characteristics of the device (or of the user thereof), hereafter referred to as authorization information, to the rules of the authorization policies. The PDP may communicate its decision to the PEP at which the user or device is connected to the network, and the PEP may enforce the PDP's decision.
A further component of many authorization systems is a policy information point (“PIP”), which may be a role adopted by an authentication database from the authentication processes described above. Authorization information contained in PIPs (e.g., groups of which a user is a member, the user's role in a corporation, etc.) may be accessed by PDPs to make policy decisions.
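The following Python, added here as an illustration and not part of the original description, shows the PEP, PDP and PIP roles described above as three cooperating components: the PIP answers attribute lookups from a constructed in-memory directory, the PDP compares those attributes (plus the requested resource) against a small rule set with deny-overrides combining and a default of deny, and the PEP consults the PDP only for ports that have already completed authentication. The identities, groups, port names and rules are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample directory standing in for the PIP's backing store (e.g. a corporate directory).
DIRECTORY = {
    "alice": {"groups": {"staff", "finance"}, "role": "accountant", "device_compliant": True},
    "bob":   {"groups": {"staff", "engineering"}, "role": "developer", "device_compliant": True},
    "carol": {"groups": {"staff", "finance"}, "role": "accountant", "device_compliant": False},
    "guest": {"groups": {"visitors"}, "role": None, "device_compliant": False},
}


class PolicyInformationPoint:
    """PIP: supplies the authorization information the PDP compares against its rules."""
    def __init__(self, directory):
        self.directory = directory

    def attributes(self, identity):
        entry = self.directory.get(identity, {})  # unknown identities get empty attributes
        return {"identity": identity, "groups": frozenset(entry.get("groups", ())),
                "role": entry.get("role"), "device_compliant": entry.get("device_compliant", False)}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                      # "permit" or "deny"
    applies: Callable[[dict], bool]  # predicate over PIP attributes plus the requested resource


class PolicyDecisionPoint:
    """PDP: evaluates rules with deny-overrides; no applicable rule means deny."""
    def __init__(self, pip, rules):
        self.pip, self.rules = pip, rules

    def decide(self, identity, resource):
        attrs = dict(self.pip.attributes(identity), resource=resource)
        matched = [r for r in self.rules if r.applies(attrs)]
        denies = [r.name for r in matched if r.effect == "deny"]
        if denies:
            return "deny", denies
        if matched:
            return "permit", [r.name for r in matched]
        return "deny", ["default-deny"]


class PolicyEnforcementPoint:
    """PEP: the NAC port; it asks the PDP only about sessions that already authenticated."""
    def __init__(self, pdp):
        self.pdp, self.sessions = pdp, {}

    def on_authenticated(self, port, identity):
        self.sessions[port] = identity

    def allow(self, port, resource):
        identity = self.sessions.get(port)
        if identity is None:
            return False  # unauthenticated port: authorization is never consulted
        decision, _ = self.pdp.decide(identity, resource)
        return decision == "permit"


RULES = [
    Rule("staff-intranet", "permit",
         lambda a: "staff" in a["groups"] and a["resource"] == "intranet"),
    Rule("finance-payroll", "permit",
         lambda a: "finance" in a["groups"] and a["resource"] == "payroll"),
    Rule("visitors-portal", "permit",
         lambda a: "visitors" in a["groups"] and a["resource"] == "guest-portal"),
    Rule("noncompliant-no-payroll", "deny",
         lambda a: a["resource"] == "payroll" and not a["device_compliant"]),
]


def build_pep():
    return PolicyEnforcementPoint(PolicyDecisionPoint(PolicyInformationPoint(DIRECTORY), RULES))


def demo():
    """Authenticate three sessions, then ask the PEP about several resource requests."""
    pep = build_pep()
    for port, identity in (("ge-0/0/1", "alice"), ("ge-0/0/2", "bob"), ("ge-0/0/3", "carol")):
        pep.on_authenticated(port, identity)
    return {
        ("alice", "payroll"): pep.allow("ge-0/0/1", "payroll"),
        ("bob", "payroll"): pep.allow("ge-0/0/2", "payroll"),
        ("carol", "payroll"): pep.allow("ge-0/0/3", "payroll"),
        ("bob", "intranet"): pep.allow("ge-0/0/2", "intranet"),
        ("unauthenticated", "intranet"): pep.allow("ge-0/0/9", "intranet"),
    }
```

Running `demo()` permits alice (finance, compliant device) to reach payroll, denies bob because no permit rule matches (default deny), denies carol even though the finance rule matches because the non-compliance rule overrides it, and returns deny for a port with no authenticated session without ever consulting the PDP.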